selabel_db(5)              SELinux API documentation             selabel_db(5)

NAME

       selabel_db - userspace SELinux labeling interface: DB objects contexts
       backend.

SYNOPSIS

       #include <selinux/selinux.h>

       #include <selinux/label.h>

       int selabel_lookup(struct selabel_handle *hnd,
                          security_context_t *context,
                          const char *object_name, int object_type);

DESCRIPTION

       The DB contexts backend maps a pair of object name and class to a
       security context. It is used to find the appropriate context for
       database objects when relabeling a database.

       The object_name should be a fully qualified name using the hierarchy
       of database objects. For example, the pg_class table in the postgres
       database and pg_catalog schema should be qualified as
       postgres.pg_catalog.pg_class.

       The object_type argument should be set to one of the following values:

       SELABEL_DB_DATABASE
              The object_name argument specifies the name of a database
              itself, such as "postgres".

       SELABEL_DB_SCHEMA
              The object_name argument specifies the name of a schema object,
              such as "postgres.public".

       SELABEL_DB_TABLE
              The object_name argument specifies the name of a table object,
              such as "postgres.public.my_table".

       SELABEL_DB_COLUMN
              The object_name argument specifies the name of a column object,
              such as "postgres.public.my_table.user_id".

       SELABEL_DB_TUPLE
              The object_name argument specifies the name of a table object
              which contains the tuples to be relabeled, such as
              "postgresql.public.my_table". Note that we have no way to
              identify individual tuple objects, except by the WHERE clause
              of DML statements, because a tuple has no name.

       SELABEL_DB_PROCEDURE
              The object_name argument specifies the name of a procedure
              object, such as "postgres.public.my_func". Note that looking up
              individual security contexts for procedures which have the same
              name but different arguments is not supported.

       SELABEL_DB_SEQUENCE
              The object_name argument specifies the name of a sequence
              object, such as "postgres.public.my_seq".

       SELABEL_DB_BLOB
              The object_name argument specifies the name of a large object,
              such as "postgres.16308". Note that a large object does not
              have a name, so it is identified by its identifier value.

OPTIONS

       In addition to the global options described in selabel_open(3), this
       backend recognizes the following options:

       SELABEL_OPT_PATH
              A non-null value for this option specifies a path to a file that
              will be opened in lieu of the standard DB contexts file. By
              default the backend tries to open the specfile designed for
              SE-PostgreSQL, so if another RDBMS uses this interface, it needs
              to give an explicit specfile designed for that RDBMS.
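
The following is an added example, not part of the libselinux documentation: it checks that an object_name has the number of dot-separated components this page's examples show for each object_type before handing it to selabel_lookup, so a caller cannot pass a schema-relative name as a table. The names db_name_ok, db_lookup and USE_LIBSELINUX are hypothetical, the enum values are placeholders used only when libselinux is not linked, and the depth check is a precaution added here under the assumption that identifiers contain no dots.

```c
#include <stddef.h>
#ifdef USE_LIBSELINUX   /* real lookup: cc -DUSE_LIBSELINUX file.c -lselinux */
#include <selinux/selinux.h>
#include <selinux/label.h>
#else   /* placeholder values so the name check builds without libselinux */
enum { SELABEL_DB_DATABASE = 1, SELABEL_DB_SCHEMA, SELABEL_DB_TABLE,
       SELABEL_DB_COLUMN, SELABEL_DB_TUPLE, SELABEL_DB_PROCEDURE,
       SELABEL_DB_SEQUENCE, SELABEL_DB_BLOB };
#endif

/* Components in the fully qualified name, per the examples on this page. */
static int expected_depth(int type)
{
    switch (type) {
    case SELABEL_DB_DATABASE:  return 1;  /* postgres */
    case SELABEL_DB_SCHEMA:               /* postgres.public */
    case SELABEL_DB_BLOB:      return 2;  /* postgres.16308 */
    case SELABEL_DB_TABLE:                /* postgres.public.my_table */
    case SELABEL_DB_TUPLE:                /* named by its containing table */
    case SELABEL_DB_PROCEDURE: case SELABEL_DB_SEQUENCE: return 3;
    case SELABEL_DB_COLUMN:    return 4;  /* ...my_table.user_id */
    default:                   return -1; /* type not covered by this page */
    }
}

/* Hypothetical helper: 1 if name has the expected number of non-empty
 * dot-separated parts. Assumes identifiers do not themselves contain '.'. */
int db_name_ok(const char *name, int type)
{
    int depth = 1, want = expected_depth(type);
    if (want < 0 || name == NULL || *name == '\0') return 0;
    for (const char *p = name; *p; p++) {
        if (*p != '.') continue;
        if (p == name || p[1] == '.' || p[1] == '\0') return 0; /* empty part */
        depth++;
    }
    return depth == want;
}
#ifdef USE_LIBSELINUX
/* Hypothetical wrapper; on success the caller frees *con with freecon(). */
int db_lookup(const char *name, int type, char **con)
{
    struct selabel_handle *hnd = db_name_ok(name, type)
        ? selabel_open(SELABEL_CTX_DB, NULL, 0) : NULL;
    int rc = hnd ? selabel_lookup(hnd, con, name, type) : -1;
    if (hnd) selabel_close(hnd);
    return rc;
}
#endif
```

db_lookup opens the default DB contexts file; a caller for an RDBMS other than SE-PostgreSQL would pass SELABEL_OPT_PATH to selabel_open instead of NULL options.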

SEE ALSO

       selabel_open(3), selabel_lookup(3), selabel_stats(3), selinux(8)

                                  22 Nov 2009                    selabel_db(5)